Secure Software Development: A 3-Phase Battle-Tested Security Approach
When executed correctly, a structured security approach prevents costly breaches, fosters a security-first culture, and ensures the success of your software projects. Read on for insights, best practices, and actionable steps from our 3-phase, battle-tested strategy.
When working on a demanding software product, it can be easy for teams to prioritize hitting growth targets and deadlines over security. The wake-up call comes when a breach occurs, and the price of that lesson can be steep. A security breach can harm your company’s reputation, cost you customers, and even lead to legal action.
At Whitespectre, we’ve developed a three-phase security approach that we've battle tested with multiple clients. Read on as we break this down step by step.
Phase 1: Make sure you’ve implemented the key best practices
As Nick Tudor, Whitespectre’s CEO explains, “Security is ongoing. Whenever we design, write, review and test code, we lean on our experience and best practices to build robust, secure and scalable solutions. That's part of our craft as engineers.”
To foster a robust security culture within your organization, you want to empower your teams and processes with the right tools while instilling security habits in every aspect of their work. These three steps will help ensure comprehensive protection for your systems.
One thing to note - security best practices can be challenging to implement in cases where projects have been running for some time without them, or the development team is already overstretched. We’ve helped clients in this situation by providing support to strengthen their security processes and preparing them for initiatives like an ethical hacking audit by a 3rd party partner like Cobalt.
1. Educate the developer team on security
- Provide security training to enhance team awareness and knowledge.
- At a minimum, ensure familiarity with the OWASP Top Ten, a standard web application vulnerabilities list.
- Encourage mastery of secure development practices in their chosen language and framework.
- Conduct code reviews focusing on security to identify and rectify potential vulnerabilities, preventing issues from surfacing in later stages.
2. Automate security scanning
- Implement static analysis tools.
- This is technology (or even framework) dependent, but a good start is to look into this list.
- The goals are getting early feedback and enforcing good (secure) coding standards.
- Regularly monitor dependencies for known vulnerabilities or lack of support, incorporating automation into your CI/CD pipeline.
3. Monitor and fix
- Monitor logs for suspicious activity and understand attack vectors
- Utilize log search tools and set up reports/alerts to spot anomalies or automated traffic.
- Consider employing tools like Splunk or an ELK stack (Elasticsearch, Logstash, Kibana) for efficient alerting on potential anomalies that require investigation. These tools also allow you to set alerts so that you are notified when something is going on and needs investigation.
- Train your QA team to identify and report security issues during testing.
- Prioritize the fixing of potential security vulnerabilities.
After being sure you are covering the basics of the project, you’re ready to have your system audited by a 3rd party. It will uncover unexpected gaps and provide you with a thicker layer of security.
Phase 2: Unmasking blindspots with ethical hacking
By employing ethical hacking, you can proactively discover and rectify security weaknesses before malicious actors exploit them. This is a type of security audit process where an external firm deliberately attempts to breach your system to identify vulnerabilities.
Why is this external attempt so crucial? Because your internal team instinctively focuses first on ensuring your system functions smoothly. It's like the dynamic between developers and quality assurance (QA) teams: one strives to build a functional system, while the other identifies weaknesses. Ethical hackers assume the responsibility of uncovering cracks so your team can avoid being caught by their own blind spots.
Let’s say your organization is onboard with the critical value that ethical hacking provides. Perhaps there’s a bigger security push or perhaps you’re preparing for a board or client audit. How do you best prepare for ethical hacking, implement the process effectively, and use it to strengthen security going forward?
Preparing the ground for the ethical hacking assessment is vital to ensure that the evaluation and fixing phases proceed smoothly. When working with our security partner, Cobalt, for penetration testing, we follow these three steps:
1. Prepare for the next round of ethical hacking
- Clearly define the scope and areas to be tested.
- Prioritize specific focus areas, such as critical functionalities or sensitive data.
- Provide ethical hackers with the necessary access and environments to conduct their assessments.
2. Evaluate the results
- Thoroughly review the findings and recommendations provided by the ethical hacking assessment, which contains:
- Type of vulnerability.
- The severity and potential impact on users or the company.
- Easily reproducible description.
- Identify vulnerabilities and prioritize them based on their severity and potential impact.
Vulnerability Report Example
Here’s an example of the level of detail that a vulnerability issue report from a penetration testing should have:
Title: Session token doesn't expire after successful logout
Affected URL: https://www.example.com/users/log_out
Proof of Concept:
- Successfully login to web applications as a valid user.
- Log out from the browser using the web logout functionality.
- Send one of the authenticated requests from the previous session to the burp repeater and forward the request again.
- Note that the response is successful, and thus, the old token is still valid.
An attacker accessing the old token on a machine that had the user logged in can keep using that account. Users logging out or changing passwords on their current device will not stop the attacker from using their account.
When logging out of one device, the server-side authentication should be invalidated so that all devices must re-authenticate.
3. Fix and retest
- Address the identified vulnerabilities promptly with your internal team.
- Retest the system in collaboration with the third party to ensure the efficacy of the remediation efforts.
Phase 3: Using learnings to improve and build a security-first culture
Penetration testing is essential to developing secure software, but it's just one step in the journey. Once you have the penetration test results, it's essential to use them to improve your software and processes.
Here are a few tips for making the most of penetration testing results:
1. Learn from the reported vulnerabilities
Conduct a "lessons learned" or "post-mortem" session with your team to discuss the identified vulnerabilities. This means more than just fixing the issues. You also need to understand the gaps in your software so that you can do better in the future.
For example, suppose many vulnerabilities are found related to authentication and authorization. In that case, you may need to provide more training to your team in this area or dig deeper into your framework to see if it can support authentication/authorization better.
2. Focus on improving your process and security culture
A steady and methodical improvement over a long time is more valuable than a heroic effort to improve security in one go:
- Enhance development practices through ongoing training, code reviews, and feedback from static code analysis tools
- Automate security testing and incorporate security tools into your CI/CD pipeline
- Set up automated notifications for unsupported dependencies or outdated library versions and proactively upgrade them
- Establish automated alert systems for detecting anomalies or suspicious activity instead of manually inspecting logs so that you can quickly address any potential security issues
3. Prepare for the next round of ethical hacking
Software and hackers constantly evolve, so scheduling periodic ethical hacking assessments is essential. The frequency will vary depending on the nature of your system and the technologies involved, ranging from every 6 to 24 months.
Remember, security is an ongoing process
Secure software is a non-negotiable for any organization looking to thrive in today's digital landscape. By instilling a security-first culture within your tech team, employing 3rd party ethical hacking, and continuously improving your software and processes - you safeguard your reputation, build trust with your customers, and keep cybersecurity threats at bay. The groundwork is challenging, but it pays off in the end.
Looking for an expert partner to support you in improving your security practices or preparing for ethical hacking? Reach out to us here.
Get more Whitespectre insights on building secure software: